Hole Fixed for Android, but Patch in Flux

Monday, May 9, 2016 @ 06:05 PM gHale

There is an information disclosure vulnerability affecting a Qualcomm software package found in hundreds of Android device models. Qualcomm fixed the hole, but it is now up to device makers to distribute the fix.

The high-severity rated vulnerability does not affect Nexus devices, said researchers at FireEye, which discovered the high severity hole.

The patch for the issue is not in the Android Open Source Project (AOSP) repository. It will end up included in the latest driver updates for affected devices.

FireEye said its researchers informed Qualcomm about the vulnerability in January and the vendor developed a fix by early March, when it started reaching out to OEMs to let them know about the issue. Now it’s up to the device manufacturers to push out the patch to users.

The flaw exists in an open source software package maintained by Qualcomm and relates to the Android network daemon (netd).

“The vulnerability was introduced when Qualcomm provided new APIs as part of the ‘network_manager’ system service, and subsequently the ‘netd’ daemon, that allow additional tethering capabilities, possibly among other things,” said FireEye’s Jake Valletta in a blog post.

The flaw affects devices running Android 5.0 Lollipop and earlier, which currently account for 75 percent of Android devices.

The vulnerability can result in escalated privileges to the built-in “radio” user, which has permissions that are normally not available to a third-party app. The best way to leverage the vulnerability is via a malicious application granted the “ACCESS_NETWORK_STATE” permission.

Any app can interact with the vulnerable API without raising any suspicion and it’s unlikely that Google Play would flag such an Android app as being malicious, the researchers said.

The vulnerability, though, has limited impact on devices running Android 4.4 and later, which include significant security enhancements.

“On older devices, the malicious application can extract the SMS database and phone call database, access the Internet, and perform any other capabilities allowed by the ‘radio’ user,” FireEye said. “Newer devices are affected less. The malicious application can modify additional system properties maintained by the operating system. The impact here depends entirely on how the OEM is using the system property subsystem.”